If you've worked through all the previous chapters, you have a fully functional vertical slice of the JAW Motors application that allows you to run a credit check and view, add, edit (update), delete, and buy cars. Although this works, there's a gaping holeanyone with a browser who knows the application's URL can modify JAW Motors' inventory. So we need to add security to the application. In this chapter, we'll secure the "Car Inventory" and "Add/Edit Car" pages so that only authorized users can modify cars in the inventory. We won't secure the "Buy Car" or "Run Credit Check" pages (and their underlying functionality) because we still want all users to be able to buy a car or run a credit check without having to log in. We'll discuss J2EE web-based security, Java Authentication & Authorization Service (JAAS), and EJB security. Along the way we'll show how to deploy these security mechanisms on JBoss.